Lab contents:
OSPF Lab 11: Configure OSPF topology with two Areas and two ABRs
OSPF Lab 12: Using Type-3 LSA Inter-Area Filtering
OSPF Lab 13: Type-3 LSA Filtering with Network Ranges
OSPF Lab 14: Ingress Filtering with Distribute-List
OSPF Lab 15: Ingress Filtering with Distribute-List and Route-Map
OSPF Lab 16: Ingress Filtering with Administrative Distance
Topology (taken from IEWB; some interfaces were changed so that the labs can run in the emulator)
Labs 11 through 15 use the same topology.
Emulator configuration OSPF11.NET (identical for Labs 11 through 14)
autostart = False
ghostios = True
sparsemem = True

[localhost]
    port = 7200
    udp = 11000
    workingdir = ..\tmp\

    # Defaults shared by every 7200 router below
    [[7200]]
        image = ..\IOS\unzip-c7200-advsecurityk9-mz.124-11.T.bin
        model = 7200
        npe = npe-400
        confreg = 0x2142
        # mmap = False
        ram = 256

    # R1: ABR, Ethernet to the switch and serial to the Frame Relay cloud
    [[router R1]]
        model = 7200
        console = 3001
        exec_area = 64
        slot0 = C7200-IO-FE
        slot1 = PA-4T+
        F0/0 = SW 1
        s1/0 = FR1 1

    # R5: Frame Relay hub
    [[router R5]]
        console = 3005
        model = 7200
        exec_area = 64
        slot1 = PA-4T+
        S1/0 = FR1 5

    # R4: ABR, Ethernet to the switch and serial to the Frame Relay cloud
    [[router R4]]
        console = 3004
        model = 7200
        exec_area = 64
        npe = npe-400
        slot1 = PA-4T+
        slot2 = PA-4E
        e2/0 = SW 2
        S1/0 = FR1 4

    [[router R6]]
        console = 3006
        model = 7200
        exec_area = 64
        npe = npe-400
        slot0 = PA-C7200-IO-GE-E
        G0/0 = SW 3

    # All three switch ports are access ports in VLAN 2
    [[ethsw SW]]
        1 = access 2
        2 = access 2
        3 = access 2

    # PVCs: R1 (DLCI 105) <-> R5 (DLCI 501), R4 (DLCI 405) <-> R5 (DLCI 504)
    [[FRSW FR1]]
        1:105 = 5:501
        4:405 = 5:504
###############################################################################
OSPF Lab 11: Configure OSPF topology with two Areas and two ABRs
###############################################################################
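Device configuration
R1 configuration
The default OSPF network type on a Frame Relay interface is NON_BROADCAST, so the frame-relay map statements here do not end with the broadcast keyword.
ip ospf priority 0 keeps the router out of the DR and BDR election; it is used here to make sure R5 is elected DR.
======================================================
R4 configuration
R4's configuration is similar to R1's; see the notes for R1.
=============================================
R5 configuration
The R5 interface has no ip ospf priority statement, so it keeps the default priority.
Neighbor configuration: because the interface type is NON_BROADCAST, hello packets cannot reach the other routers on their own, so each neighbor must be specified with the neighbor command before the neighbor relationship can form.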
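The NBMA settings described above for R5 and R1, as an added example (not the configuration from the original screenshots). The 155.1.0.0/24 Frame Relay addressing and OSPF process ID 1 are assumptions; the DLCIs come from the emulator file, and R4 mirrors R1 using DLCI 405.

```cisco
! Added example; 155.1.0.x addresses and process ID 1 are assumed.
! --- R5: hub, default priority 1, becomes DR ---
interface Serial1/0
 ip address 155.1.0.5 255.255.255.0
 encapsulation frame-relay
 no frame-relay inverse-arp
 ! No "broadcast" keyword: the network type stays NON_BROADCAST
 frame-relay map ip 155.1.0.1 501
 frame-relay map ip 155.1.0.4 504
!
router ospf 1
 network 155.1.0.5 0.0.0.0 area 0
 ! Hellos are unicast to the configured neighbors only
 neighbor 155.1.0.1
 neighbor 155.1.0.4
!
! --- R1: spoke, never DR or BDR ---
interface Serial1/0
 ip address 155.1.0.1 255.255.255.0
 encapsulation frame-relay
 no frame-relay inverse-arp
 frame-relay map ip 155.1.0.5 105
 ! The other spoke is reached through the hub PVC
 frame-relay map ip 155.1.0.4 105
 ip ospf priority 0
!
router ospf 1
 network 155.1.0.1 0.0.0.0 area 0
```

show ip ospf interface Serial1/0 on each router confirms the network type and priority, and show ip ospf neighbor on R5 should list both spokes with R5 as DR.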
===============================================================
R6 configuration
===========================================================
Verifying the configuration
R5's s1/0 has the default priority of 1 (R1 and R4 are set to 0 with the ip ospf priority 0 statement), which ensures that R5 is elected DR.
Interface priority on R4:
Interface priority on R1:
Neighbor relationships:
Checking the routing tables
######################################################################
OSPF Lab 12: Using Type-3 LSA Inter-Area Filtering
#######################################################################
Directions
- Configure routers as per the OSPF scenario “Common Multi-Area Configuration with 2 ABRs”
- Create prefix-list AREA1_FILTER_OUT on R1 and R4. Deny the 150.X.6.6/32 prefix and permit all others
- Apply this filter to prefixes coming out of Area 1 on R1 and R4
- Create prefix-list AREA1_FILTER_IN on R1 and R4. Deny the 150.X.5.5/32 prefix and permit all others
- Apply this filter to prefixes coming into Area 1 on R1 and R4
- Note that keyword “in” means coming into the area, and “out” means coming out of the area
Configuration on R1 and R4
This is a commonly used method for filtering inter-area routes. The goals of this lab are:
1. Filter R6's loopback address so that it is not propagated through R1 and R4 to R5.
2. Filter R5's loopback address so that it is not propagated through R1 and R4 to R6.
3. R1 and R4 can still learn the loopback addresses of R5 and R6.
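The filter described in the directions, written out as an added example for R1 and R4 (not the configuration from the original screenshots). OSPF process ID 1 is an assumption, and X is taken as 1 to match the verification output.

```cisco
! Added example for R1 and R4 (both ABRs); OSPF process ID 1 is assumed.
ip prefix-list AREA1_FILTER_OUT seq 5 deny 150.1.6.6/32
ip prefix-list AREA1_FILTER_OUT seq 10 permit 0.0.0.0/0 le 32
!
ip prefix-list AREA1_FILTER_IN seq 5 deny 150.1.5.5/32
ip prefix-list AREA1_FILTER_IN seq 10 permit 0.0.0.0/0 le 32
!
router ospf 1
 ! "out": Type-3 LSAs the ABR builds from Area 1 routes for other areas
 area 1 filter-list prefix AREA1_FILTER_OUT out
 ! "in": Type-3 LSAs the ABR would otherwise inject into Area 1
 area 1 filter-list prefix AREA1_FILTER_IN in
```

The filter has to be present on both ABRs; if only one of them filters, the other still originates the Type-3 LSA and the prefix remains reachable.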
===================================================
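Verifying the configuration
Before the filter is applied: R5 has a route to R6's loopback address; see the routing tables of R5 and R6 in the previous lab.
After the filter is applied: check the routing tables of R5 and R6.
R5 no longer has R6's loopback address, that is, there is no 150.1.6.6/32 route entry.
R6 no longer has R5's loopback address, that is, there is no 150.1.5.5/32 route entry.
Check the routing tables of R1 and R4:
R1 and R4 still have the loopback addresses of R5 and R6; they were not filtered out.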
######################################################################
OSPF Lab 13: Type-3 LSA Filtering with Network Ranges
######################################################################
Objective: Filter OSPF summary-prefixes using network ranges
Directions
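- Configure routers as per the OSPF scenario “Common Multi-Area Configuration with 2 ABRs”
- Create network-range 150.1.6.0/24 for Area 1, add keyword “not-advertise” to block propagation of the summary
- Create network-range 150.1.5.0/24 for Area 0, add keyword “not-advertise” to block propagation of the summary
The base configuration is the same as in OSPF Lab 11 (if you build on OSPF Lab 12, first remove that lab's configuration, i.e. the filter lists).
The area range command can only be used on an area border router. It consolidates and summarizes the routes of an area, and the result is a single summary route that the ABR advertises to other areas. Routing information is condensed at the area boundary: outside the area, each address range is advertised as a single route. This process is called route summarization. Adding the not-advertise keyword means that the summarized route is not propagated outside the area, so the command acts as a route filter.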
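The two ranges from the directions, as an added example for R1 and R4 (not the configuration from the original screenshots). OSPF process ID 1 is an assumption; the two "no" lines apply only when starting from the Lab 12 configuration.

```cisco
! Added example for R1 and R4; OSPF process ID 1 is assumed.
router ospf 1
 ! Only when building on Lab 12: remove its filter lists first
 no area 1 filter-list prefix AREA1_FILTER_OUT out
 no area 1 filter-list prefix AREA1_FILTER_IN in
 ! Suppress the Type-3 LSAs for Area 1 routes inside 150.1.6.0/24
 area 1 range 150.1.6.0 255.255.255.0 not-advertise
 ! Suppress the Type-3 LSAs for Area 0 routes inside 150.1.5.0/24
 area 0 range 150.1.5.0 255.255.255.0 not-advertise
```

Unlike the prefix-list filter of Lab 12, a not-advertise range hides every intra-area route that falls inside the /24, not only the /32 loopback.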
Check the result: show ip route ospf displays the routes learned through OSPF
R5 has no route to R6's loopback address 150.1.6.6, so the filter works.
R6 has no route to R5's loopback address 150.1.5.5, so the filter works.
##################################################################
OSPF Lab 14: Ingress Filtering with Distribute-List
###################################################################
Directions
- Configure routers as per the OSPF scenario “Common Multi-Area Configuration with 2 ABRs”
- Create access-list 99 on R1 and R4. Deny the 150.1.6.6/32 prefix and permit everything else with this access-list
- Apply access-list as distribute-list for OSPF processes on R1 and R4
- Note that distribute-list only blocks routes from entering the local RIB, and does not stop LSA propagation
Device configuration
Configuration on R1 and R4
An ACL matches R6's loopback address, and the distribute-list uses it to filter the route.
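The ACL and distribute-list from the directions, as an added example for R1 and R4 (not the configuration from the original screenshots). OSPF process ID 1 is an assumption.

```cisco
! Added example for R1 and R4; OSPF process ID 1 is assumed.
! Standard ACL 99: match R6's loopback, allow everything else
access-list 99 deny   150.1.6.6
access-list 99 permit any
!
router ospf 1
 ! Filters which SPF results are installed in the local RIB.
 ! The LSDB and LSA flooding are left untouched.
 distribute-list 99 in
```

On R1 and R4, show ip route 150.1.6.6 then returns nothing while show ip ospf database still lists R6's LSAs.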
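R1 and R4 have no 150.1.6.6/32 route entry.
R5 still has the 150.1.6.6/32 route.
Check R1's neighbor relationships with show ip ospf neighbor
The output shows that, on R1, R1 and R5 are neighbors, and R1 and R4 are neighbors as well.
Check R4's neighbor relationships
The output shows that R4 is a neighbor of both R1 and R5.
Summary: the results show that, with the distribute-list applied, R1 and R4 no longer learn R6's loopback address, yet R5 still learns it. Is the filter not working? It is working: a distribute-list acts only on the local routing table and cannot stop routing updates, so R1 and R4 still advertise the 150.1.6.6/32 route to R5.
show ip ospf neighbor on R1 and R4 shows that R1 and R4 are still neighbors, which means the distribute-list has no effect on hellos; it only blocks entries from the local routing table.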
##########################################################################
OSPF Lab 15: Ingress Filtering with Distribute-List and Route-Map
###########################################################################
Objective: Filter only external OSPF routes originating at a specific router from entering the local IP routing table
Directions
- Configure routers as per the OSPF scenario “Common Multi-Area Configuration with 2 ABRs”
- Create static route 160.X.60.0/24 to Null0 on R6. Redistribute this route into OSPF on R6
- Create static route 160.X.50.0/24 to Null0 on R5. Redistribute this route into OSPF on R5
- Create access-list 1 on R1 and R4 and match host 150.1.6.6 (R6’s router-id) with it
- Create route-map FILTER_OSPF on R1 and R4. Deny external routes with this route-map, and permit all other types of routes. Configure route-map to match routes from R6 only, by matching route-source based on access-list 1
- Apply route-map FILTER_OSPF as ingress filter for OSPF processes on R1 and R4.
Restore the Lab 11 base configuration, then continue with this lab.
Lab goal: configure one static route on each of R5 and R6 and redistribute it into OSPF as an external (E2) route. On R1 and R4, use a route-map for precise matching: external routes from R6 are denied and all other routes are permitted.
Device configuration
Configuration on R1 and R4
R5 configuration
R6 configuration
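The steps from the directions for all four routers, as an added example (not the configuration from the original screenshots). OSPF process ID 1 is an assumption, and X is taken as 1 in the prefixes.

```cisco
! Added example; OSPF process ID 1 is assumed, X = 1 in the prefixes.
! --- R6: originate an external (E2) route ---
ip route 160.1.60.0 255.255.255.0 Null0
router ospf 1
 redistribute static subnets
!
! --- R5: same, with its own prefix ---
ip route 160.1.50.0 255.255.255.0 Null0
router ospf 1
 redistribute static subnets
!
! --- R1 and R4: ingress filter ---
! ACL 1 matches the advertising router, i.e. R6's router ID
access-list 1 permit 150.1.6.6
!
! Both match lines must be true for the deny to apply:
! the route is external AND its source is R6
route-map FILTER_OSPF deny 10
 match ip route-source 1
 match route-type external
! Everything else, including R5's external route, is installed
route-map FILTER_OSPF permit 20
!
router ospf 1
 distribute-list route-map FILTER_OSPF in
```

Because both conditions are combined, R6's internal routes such as 150.1.6.6/32 and R5's external 160.1.50.0/24 stay in the routing tables of R1 and R4.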
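Verifying the configuration
Neither R1 nor R4 has the 160.1.60.0 route, so the filter works.
The show ip route output on R5 shows that R5 still learns the external route from R6, which again proves that a distribute-list acts only on the local routing table and does not affect LSA propagation to other routers.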
##########################################################################
OSPF Lab 16: Ingress Filtering with Administrative Distance
##########################################################################
Directions
- Configure routers as per the OSPF scenario “Common Multi-Area Configuration with 2 ABRs”;
- Create static route 160.X.60.0/24 to Null0 on R6. Redistribute this route into OSPF on R6;
- The objective is to filter out prefixes 160.X.60.0/24 and 150.X.6.6/32 on R5;
- Note that prefix 160.X.60.0/24 is external prefix originated at R6, and 150.X.6.6/32 is summary prefix originated at R1 and R4;
- Create access-list 99 on R5 and match prefix 160.X.60.0 with it;
- Create access-list 98 on R5 and match prefix 150.X.6.6 with it;
- Under OSPF routing process at R5 change administrative distance for prefixes in access-list 99 originated at R6;
- Under OSPF routing process at R5 change administrative distance for prefixes in access-list 98 originated at R1 and R4;
Device configuration
R5
Change the administrative distance of the external route learned from R6
Change the administrative distance of R6's loopback address learned from R1
Change the administrative distance of R6's loopback address learned from R1
Routes with an administrative distance of 255 are not installed in the routing table.
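The distance statements from the directions, as an added example for R5 (not the configuration from the original screenshots). OSPF process ID 1 and the router IDs 150.1.1.1 (R1) and 150.1.4.4 (R4) are assumptions, since the page does not give them; X is taken as 1.

```cisco
! Added example for R5; OSPF process ID 1 is assumed, X = 1 in the prefixes.
! 150.1.1.1 and 150.1.4.4 are assumed router IDs for R1 and R4
! (not given on the page); 150.1.6.6 is R6's router ID.
access-list 99 permit 160.1.60.0
access-list 98 permit 150.1.6.6
!
router ospf 1
 ! distance <AD> <advertising router ID> <wildcard> <ACL of prefixes>
 ! External 160.1.60.0/24 is originated by R6
 distance 255 150.1.6.6 0.0.0.0 99
 ! Summary 150.1.6.6/32 is originated by the ABRs R1 and R4
 distance 255 150.1.1.1 0.0.0.0 98
 distance 255 150.1.4.4 0.0.0.0 98
```

As with the distribute-list, this only keeps the prefixes out of R5's routing table; the LSAs remain in R5's database.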